
Bug#1065376: marked as done (bookworm-pu: package libxml-stream-perl/1.24-4+deb12u1)



Your message dated Sat, 29 Jun 2024 10:46:16 +0000
with message-id <E1sNVay-002bas-UP@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1065376,
regarding bookworm-pu: package libxml-stream-perl/1.24-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1065376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065376
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libxml-stream-perl@packages.debian.org
Control: affects -1 + src:libxml-stream-perl
User: release.debian.org@packages.debian.org
Usertags: pu

I've uploaded libxml-stream-perl/1.24-4+deb12u1 to bookworm in order
to fix #1064058.

The upload contains the same patch which has been in unstable (and testing)
for 2 weeks.

The patch adjusts the code to a change in IO-Socket-SSL 2.078
regarding hostname verification; without this change, SSL connections
with libxml-stream-perl are broken, which also breaks libnet-xmpp-perl
and all users of libnet-xmpp-perl like sendxmpp (cf. the merged
bugs).

Complete debdiff attached (please note that the only relevant part
is the 3 lines in lib/XML/Stream.pm, as the tests are not run during
package build in Debian).


Cheers,
gregor

diff -Nru libxml-stream-perl-1.24/debian/changelog libxml-stream-perl-1.24/debian/changelog
--- libxml-stream-perl-1.24/debian/changelog	2021-01-20 18:34:25.000000000 +0100
+++ libxml-stream-perl-1.24/debian/changelog	2024-03-03 16:02:42.000000000 +0100
@@ -1,3 +1,13 @@
+libxml-stream-perl (1.24-4+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * Add Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
+    to adjust to IO::Socket::SSL >= 2.078.
+    Thanks to Manfred Stock for the bug report and the patch.
+    (Closes: #1064058)
+
+ -- gregor herrmann <gregoa@debian.org>  Sun, 03 Mar 2024 16:02:42 +0100
+
 libxml-stream-perl (1.24-4) unstable; urgency=medium
 
   * Team upload.
diff -Nru libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch
--- libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxml-stream-perl-1.24/debian/patches/Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch	2024-03-03 16:02:42.000000000 +0100
@@ -0,0 +1,85 @@
+From 7d3de1e8afe7eb46d7bda336fb1f54d3b75f4e6d Mon Sep 17 00:00:00 2001
+From: Manfred Stock <m-cpan@nfred.ch>
+Date: Fri, 16 Feb 2024 10:45:43 +0100
+Subject: [PATCH] Set SSL_verifycn_name parameter to fix hostname verification
+
+IO-Socket-SSL 2.078 reverted a "decision from 2014 to not verify
+hostname by default if hostname is IP address but no explicit
+verification scheme given" [1]. Since start_SSL uses SSL_verifycn_name
+or SSL_hostname when verifying the hostname and falls back to the IP
+address of the peer if neither of them are set, the hostname
+verification failed with newer versions of IO-Socket-SSL even if the
+certificate presented by the peer was valid.
+
+Passing SSL_verifycn_name to start_SSL fixes this issue. The logic to
+determine the parameter value is based on my current understanding of
+[2] and thus uses the same logic that is also used in OpenStream to
+determine the 'to' address in the initial stream header.
+
+[1]: https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0
+[2]: https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1
+
+
+Bug: https://github.com/dap/XML-Stream/pull/28
+Bug-Debian: https://bugs.debian.org/1064058
+
+---
+ lib/XML/Stream.pm |  3 +++
+ t/tcpip2ssl.t     | 21 +++++++++++++++++----
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/lib/XML/Stream.pm
++++ b/lib/XML/Stream.pm
+@@ -632,6 +632,9 @@
+     {
+         my %ssl_params = (
+             SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},
++            SSL_verifycn_name => $self->{SIDS}->{newconnection}->{to}
++                ? $self->{SIDS}->{newconnection}->{to}
++                : $self->{SIDS}->{newconnection}->{hostname},
+         );
+ 
+         if ( 0x00 != $self->{SIDS}->{newconnection}->{ssl_verify} )
+--- a/t/tcpip2ssl.t
++++ b/t/tcpip2ssl.t
+@@ -1,13 +1,13 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests=>3;
++use Test::More tests=>5;
+ 
+ SKIP:
+ {
+     eval("use IO::Socket::SSL 0.81;");
+-    skip "IO::Socket::SSL not installed", 2 if $@;
+-    skip "No network communication allowed", 2 if ($ENV{NO_NETWORK});
++    skip "IO::Socket::SSL not installed", 4 if $@;
++    skip "No network communication allowed", 4 if ($ENV{NO_NETWORK});
+ 
+     BEGIN{ use_ok( "XML::Stream","Tree", "Node" ); }
+ 
+@@ -28,9 +28,22 @@
+                                       ssl=>1,
+                                       ssl_verify=>0x00,
+                                       timeout=>10);
++        is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
++            'jabber.org', 'SSL_verifycn_name set' );
+ 
+-        skip "Cannot create initial socket", 1 unless $stream;
++        skip "Cannot create initial socket", 2 unless $stream;
+         
+         ok( $stream, "converted" );
++
++        $stream->Connect(hostname=>"jabber.org",
++                         to=>'example.com',
++                         port=>5223,
++                         namespace=>"jabber:client",
++                         connectiontype=>"tcpip",
++                         ssl=>1,
++                         ssl_verify=>0x00,
++                         timeout=>10);
++        is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
++            'example.com', 'SSL_verifycn_name set to "to" value' );
+     }
+ }
diff -Nru libxml-stream-perl-1.24/debian/patches/series libxml-stream-perl-1.24/debian/patches/series
--- libxml-stream-perl-1.24/debian/patches/series	2021-01-20 18:34:25.000000000 +0100
+++ libxml-stream-perl-1.24/debian/patches/series	2024-03-03 16:02:42.000000000 +0100
@@ -1,3 +1,4 @@
 t_upstream_uninitialized_value.diff
 default-ca-path.patch
 0001-Do-not-die-when-hostname-cannot-be-resolved.patch
+Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch

--- End Message ---
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---
